SSH, SCP, and SFTP

Light at the End

The secure shell gives you an option for securing other Internet services against sniffing via tunneling. To secure an otherwise-unencrypted protocol (such as POP3), forwarding TCP/IP connections to a remote machine by means of an encrypted protocol makes sense. The use of SSH as a SOCKS proxy is another elegant application that lets users transfer encrypted data via a web browser. Setting up a tunnel to a proxy also avoids web content censorship, which is a useful feature in countries that block some websites. If you have a shell account on a machine in a less restrictive country, this approach can give you unimpeded web access.

To start, enable the proxy with the SSH -D option, and at the same time pass in a freely selectable port number. In this scenario, the -f and -N parameters also are useful. The former pushes ssh into the background after logging in and before executing commands, and the latter tells ssh that no commands are to follow; for example:

$ ssh -fN -D 1080 Proxy

After entering the password, the prompt reappears and the shell is ready to accept further instructions. That's all there is to it – the SOCKS proxy is waiting for something to do.

The next step is to set up the SSH client as a SOCKS proxy in the network configuration for the program in question. If this is the Firefox web browser, you can select Edit | Preferences and go to General | Network.

In Connection, click Settings, enable the manual proxy configuration, enter the IP address 127.0.0.1 and the port you previously selected in the SOCKS Host field. SOCKS versions 4 and 5 are available; when in doubt, check the ssh man page to see which version your SSH installation supports. After accepting these changes in Firefox, you can type an address in your browser's address box to verify the connection: http://www.myipaddress.com/; you should see the IP for the remote machine.

Interactive with sftp

In contrast to scp, users work interactively with sftp, just as in any "normal" ftp session. Secure ftp does not expect an ftp server at the other end of the connection, but rather an SSH daemon and, thus, a shell account. As with SSH, set up a connection to the target computer at the command line:

$ sftp huhn@macnugget

After entering your password, you will see the sftp> prompt, which tells you that the program is ready and waiting for further input.

The sftp program is not much different from those used by other shell-based ftp clients; however, you can't set the transfer mode (ASCII or binary) before transferring data because files are sent as-is across the network.

Secure ftp also has some advanced functions for modifying file permissions and ownership. For a comprehensive overview of the available commands, see the help command.

Some practical command-line options facilitate working with sftp. For example, the -C parameter for enabling data compression not only is available for ssh and scp, but also for sftp. The -b <file> option lets you pass in a batch file with the commands you want to run to sftp; however, this will work only if you do not need to enter a password to log in.

If you are interested in a graphical client for sftp, the answer is quite simple: Both KDE's Konqueror and Gnome's Nautilus support sftp perfectly. Just enter the following in the address line of either application,

sftp://user@rechner

and then authenticate with the correct password to use sftp, just like your local file manager.

Heike Jurzik studied German, Computer Science and English at the University of Cologne, Germany. She discovered Linux in 1996 and has been fascinated with the scope of the Linux command line ever since. In her leisure time you might find Heike hanging out at Irish folk sessions or visiting Ireland.

Buy Linux Magazine

Related content

Parallel SSH is the name of an easy-to-configure tool that our resident sys admin, Charly, now routinely deploys whenever he needs to launch the same programs, copy the same files, or kill the same processes simultaneously on multiple computers.

Starting a script on a Linux server with just a few mouse clicks sounds more complicated than it really is. If you want to create attractive and interactive dialogs for your desktop users, all you need is a small utility called SSH and a little Bash know-how.

When a cluster node fails, the Pacemaker high-availability tool launches the services on another node. A lesser known feature is Pacemaker’s ability to put failed services back on their feet in the cluster manager.

To get past a firewall and into a LAN,you need either a secret backdoor or a cooperative agent on the inside. A Jabber client on the LAN contacts a public Jabber server and wait for instructions trickling in as instant messages from its Internet buddies.